Koozali.org: home of the SME Server

Portforwarding not working after fresh install & updates

pwinkler

Portforwarding not working after fresh install & updates
« on: November 11, 2004, 01:45:03 AM »
I am trying to forward port 3389 (Terminal Services) to a server behind SME Server and it is not working.

I have this working on two other servers on the same site but this one does not want to work.

As mentioned above, this is a fresh install with updates applied.

What do I look for?

Please help.

guest22

Portforwarding not working after fresh install & updates
« Reply #1 on: November 11, 2004, 06:04:50 AM »
Hi,

Which version, what updates?

RequestedDeletion

pwinkler

Portforwarding not working after fresh install & updates
« Reply #2 on: November 11, 2004, 05:09:15 PM »
SME 6.0.1-01 and the updates from the update script
on this thread

http://forums.contribs.org/index.php?topic=24285.0

guest22

Portforwarding not working after fresh install & updates
« Reply #3 on: November 11, 2004, 05:26:45 PM »
Hi Pwinkler,

Please keep in mind that the update script is not an 'official' contrib. Apart from that, I do not see anything within the mentioned script that could harm the default portforwarding functionality.

I personally portforward 3389 on some setups with SME Server 6.0.1-01 with no problems. Did you sniff already to see if the port is indeed forwarded?

RequestedDeletion

pwinkler

Portforwarding not working after fresh install & updates
« Reply #4 on: November 11, 2004, 05:57:58 PM »
What updates are "contribs" or what should i install after a basic install?

I have tried to telnet to the ip on port 3389 and get
"could not open a connection to host.. connect failed"

guest22

Portforwarding not working after fresh install & updates
« Reply #5 on: November 11, 2004, 06:48:50 PM »
Take a look at '/etc/init.d/masq' and look for 3389. If it's in there then SME Server is doing its job ;-)

RequestedDeletion

pwinkler

Portforwarding not working after fresh install & updates
« Reply #6 on: November 11, 2004, 07:55:38 PM »
there is no "3389" in /etc/rc.d/init.d/masq

guest22

Portforwarding not working after fresh install & updates
« Reply #7 on: November 11, 2004, 10:47:18 PM »
Then what you describe is correct ;-)

How did you try to port forward? If it is via the server manager (default) then remove and add again just to see what happens.

Any chance you have a custom template/fragment regarding masq?

btw: joining IRC on freenode # sme-server would get you to 'live' people :-)

guest

pwinkler

Portforwarding not working after fresh install & updates
« Reply #8 on: November 12, 2004, 01:10:03 AM »
I have already deleted & re-entered the portforwarding using the panel a couple of times and again just now, I also checked /etc/init.d/masq again to see if there was any change but no!

guest22

Portforwarding not working after fresh install & updates
« Reply #9 on: November 12, 2004, 08:37:07 AM »
Ok, time to get it working first and then find out what's wrong ;-)

Create a custom template by copying /etc/e-smith/templates/etc/rc.d/init.d/91AdjustPortForward

to /etc/e-smith/custom-templates/etc/rc.d/init.d/91AdjustPortForward
/etc

then edit the custom template fragment by adding the rule below:

# Start portforwarding rule port 3389 MS-TS
--destination-port 3389 -j DNAT --to-destination 192.168.5.3:3389
adjust_tcp_in 3389 ACCEPT ForwardedTCP_$$ 192.168.5.3/32
# End portforwarding rule

so the section looks like:
# Create a new PortForwarding chain
PFC=$(/sbin/iptables --table nat --numeric --list PortForwarding |\
   sed -n '3s/ .*//p')
    /sbin/iptables --table nat --new-chain PortForwarding_$$
    /sbin/iptables --table nat --append PortForwarding_$$ --protocol tcp \
         --destination-port 3389 -j DNAT --to-destination 192.168.5.3:3389
    adjust_tcp_in 3389 ACCEPT ForwardedTCP_$$ 192.168.5.3/32
    /sbin/iptables --table nat --replace PortForwarding 1 --destination $OUTERNET --jump PortForwarding_$$
    /sbin/iptables --table nat --flush $PFC
    /sbin/iptables --table nat --delete-chain $PFC

where 192.168.5.3 is the IP address of the accepting machine.

Expand the new template fragment and restart masq

Portforwarding 3389 should now work.

RequestedDeletion

pwinkler

Portforwarding not working after fresh install & updates
« Reply #10 on: November 12, 2004, 01:20:27 PM »
Thanks for your help thus far RequestedDeletion.

I tried copying
/etc/e-smith/templates/etc/rc.d/init.d/masq/91AdjustPortForward

to
 
/etc/e-smith/custom-templates/etc/rc.d/init.d/91AdjustPortForward
/etc

Maybe I'm a bit thick but I can't find the second path or anything like it!

Do you want me to create it?

Anyway, I have copied & edited the  template as per your instructions.

Thanks again!

guest22

Portforwarding not working after fresh install & updates
« Reply #11 on: November 12, 2004, 01:27:06 PM »
Yep, you need to create the path: /etc/e-smith/custom-templates/etc/rc.d/init.d/

RequestedDeletion

compdoc
Portforwarding not working after fresh install & updates
« Reply #12 on: November 15, 2004, 04:05:28 AM »
You sure you're forwarding to the right internal IP address? And that the hardware is right? I've never seen port forwarding fail in any release of SME - even when you had to install your own server panel.

rmoria
Portforwarding not working after fresh install & updates
« Reply #13 on: November 22, 2004, 02:47:01 AM »
Same problem here.

Fresh install of 6-01-01. I did not use the install-script, but I did use a lot of the same contribs.

Trying to change the template did not help (or work) up till now.
I have to change a lot more ports (not just 3389).

Is there somewhere else we can look?
...
Yes, I can ask more questions than you can answer  8-)
...

guest22

Portforwarding not working after fresh install & updates
« Reply #14 on: November 22, 2004, 10:44:40 AM »
Hi,

Well, I guess it's time to check the contribs used. A fresh install of SME Server 6.0.1-01 works perfectly. Maybe you guys can team up and find out what contributions you have in common?

RequestedDeletion

rmoria
Portforwarding not working after fresh install & updates
« Reply #15 on: November 22, 2004, 10:56:49 AM »
I installed:

scripted:
Antivirus (latest by Knuddi)
SpamAssassin (latest by Knuddi)
Dshield
php4.3.8-upgrade
webshare
dhcpconfig V0.3.3beta(suspect ?)

RPM:
awstats
backup2ws
crontab manager
lazyadmin tools
navmanager
netPBM
Samba 3.0
Sarg
Sysmon
Userpanel
Winupd
updates (all in directory from Knuddi)

Rob
(not trained enough to figure it out by himself)
...
Yes, I can ask more questions than you can answer  8-)
...

pwinkler

Portforwarding not working after fresh install & updates
« Reply #16 on: November 22, 2004, 10:10:37 PM »
I used the update script (http://forums.contribs.org/index.php?topic=24285.0) so all the contribs in that script and the only other contribs were the services panel & isoqlog

rmoria
Portforwarding not working after fresh install & updates
« Reply #17 on: November 22, 2004, 11:50:57 PM »
Not having any patience, I started a new installation to see if the problem lies with one of the installed contribs.

After a fresh install and restore (originally made on a SME 6beta3) port forwarding is already not working.
Same with remote access settings.
No contribs are installed.
...
Yes, I can ask more questions than you can answer  8-)
...

rmoria
Portforwarding not working after fresh install & updates
« Reply #18 on: November 23, 2004, 10:02:40 AM »
Yes!
My problem lay in the backup / restore action. After removing all custom templates and practically all files in the /home/e-smith directory (config files) from the backup gz/tar it works fine, even with all contribs.

I just have to setup all settings again  :cry:  but at least I can.
...
Yes, I can ask more questions than you can answer  8-)
...

Nicky

Clean Solution for UDP PortForwarding Bug
« Reply #19 on: May 20, 2006, 12:06:01 AM »
Replace /etc/e-smith/templates/etc/rc.d/init.d/masq/91adjustPortForward with this:

# ------------------------ cut here ----------------------------------------
#
# Corrected UDP PortForwarding Bug! (by Néstor D. Díaz - nestorddiaz@matelogic.com.ar)
#

{
    my $pf_chain = "PortForwarding_\$\$";
    $OUT .= "# Create a new PortForwarding chain\n";
    $OUT .= "PFC=\$(/sbin/iptables --table nat ";
    $OUT .= "--numeric --list PortForwarding |\\\n";
    $OUT .= " sed -n '3s/ .*//p')\n";
    $OUT .= " /sbin/iptables --table nat --new-chain $pf_chain\n";

    foreach my $protocol (qw(tcp udp))
    {
        my $uproto = uc $protocol;
        my $propname = $uproto . "Forwards";
        my %forwards = split(/,/, $masq{$propname} || '');
        foreach my $port (keys %forwards)
        {
            my ($ip, $dport) = split(/:/, $forwards{$port});
            $port =~ s/-/:/;
            $OUT .= " /sbin/iptables --table nat --append $pf_chain " .
                    "--protocol $protocol \\\n" .
                    # Set up local port to forward
                    " --destination-port ${port} -j DNAT " .
                    # Set up the remote port to forward to
                    "--to-destination $ip";
            # Append the dport if any.
            $OUT .= ":$dport" if $dport;
            $OUT .= "\n";
            # And accept the incoming packets. Use the dport if there is one.
            ($port = $dport) =~ s/-/:/ if $dport;
            # If this rule is forwarding to localhost, ExternalIP or LocalIP,
            # then we must allow it on the INPUT chain instead of the FORWARD
            # chain.
            if (($ip eq '127.0.0.1') ||
                ($ip eq $InternalInterface{IPAddress}))
            {
                # Bad doggie! Bad!
                die "Port-forwarding to localhost or internal interface not permitted.\n";
            }
            elsif ($ip eq $ExternalInterface{IPAddress})
            {
                if ($uproto eq 'tcp')
                {
                    $OUT .= " adjust_tcp_in $port ACCEPT Inbound${uproto}_\$\$\n";
                }
                else
                {
                    $OUT .= " adjust_udp_in $port ACCEPT Inbound${uproto}_\$\$\n";
                }
            }
            else
            {
                if ($uproto eq 'tcp')
                {
                    $OUT .= " adjust_tcp_in $port ACCEPT Forwarded${uproto}_\$\$ $ip/32\n";
                }
                else
                {
                    $OUT .= " adjust_udp_in $port ACCEPT Forwarded${uproto}_\$\$ $ip/32\n";
                }
            }
        }
    }

    # having created a new PortForwarding chain, activate it and destroy
    # the old.
    $OUT .= " /sbin/iptables --table nat --replace PortForwarding 1 " .
            "--destination \$OUTERNET --jump $pf_chain\n";
    $OUT .= " /sbin/iptables --table nat --flush \$PFC\n";
    $OUT .= " /sbin/iptables --table nat --delete-chain \$PFC\n";
}
# ------------------------ cut here ----------------------------------------

Or Download this file from:
http://www.matelogic.com.ar/91adjustPortForward

Cheers!

Nicky

Correction!!!
« Reply #20 on: May 20, 2006, 03:57:43 AM »
Sorry!!!

Where "if ($uproto eq 'tcp')" must say "if ($protocol eq 'tcp')".

Download from here:
http://www.matelogic.com.ar/91adjustPortForward

Nicky

Example of the Bug
« Reply #21 on: May 20, 2006, 04:46:52 PM »
Example of the Bug:
-----------------------

Some IPTables Rules:

Chain ForwardedTCP (1 references)
target              prot opt source     destination
ForwardedTCP_24182  all  --  anywhere   anywhere
denylog             tcp  --  anywhere   anywhere                    tcp flags:SYN,RST,ACK/SYN

Chain ForwardedTCP_24182 (1 references)
target   prot opt source     destination
ACCEPT   tcp  --  anywhere   pc-00007.matelogic.com.ar   tcp dpt:4890
ACCEPT   tcp  --  anywhere   pc-00069.matelogic.com.ar   tcp dpt:4357
ACCEPT   tcp  --  anywhere   pc-00007.matelogic.com.ar   tcp dpt:4500
ACCEPT   tcp  --  anywhere   pc-00069.matelogic.com.ar   tcp dpt:4889

Chain ForwardedUDP (1 references)
target              prot opt source     destination
ForwardedUDP_24182  all  --  anywhere   anywhere
denylog             udp  --  anywhere   anywhere

Chain ForwardedUDP_24182 (1 references)
target   prot opt source     destination
ACCEPT   tcp  --  anywhere   pc-00007.matelogic.com.ar   udp dpt:6430
ACCEPT   tcp  --  anywhere   pc-00009.matelogic.com.ar   udp dpt:27015
ACCEPT   tcp  --  anywhere   pc-00069.matelogic.com.ar   udp dpt:6474

Comment: The last 3 lines must be "udp" protocol.
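The following is an added example, not code from the thread or from SME Server itself. It serves two passages: guest22's Reply #9, which shows the shell that the 91adjustPortForward fragment expands into (a fresh PortForwarding_$$ chain, one DNAT rule plus one adjust_tcp_in/adjust_udp_in accept rule per forward, then the swap and cleanup of the old chain), and Nicky's Replies #19 to #21, which fix and illustrate the protocol mix-up where the ForwardedUDP_* chain ends up holding tcp rules. The Python below reproduces the fragment's rule generation from a TCPForwards/UDPForwards string of the form "port,ip[:dport],port,ip...", with a `fixed=False` switch that reproduces the defect, and adds a small audit that scans `iptables -L -n` output for rules whose protocol column disagrees with the chain they sit in. The addresses, the config dict and SAMPLE_LISTING are constructed for the example; the real template reads `$masq{TCPForwards}`/`$masq{UDPForwards}` and writes straight into the masq init script.

```python
"""Added example: what SME Server's 91adjustPortForward fragment generates,
plus an audit of an iptables listing for the tcp/udp mix-up from the thread.
The config keys, addresses and listing are constructed, not taken from a box."""

LOCALHOST = "127.0.0.1"


def parse_forwards(spec):
    """'3389,192.168.5.3:3389,6000-6010,192.168.5.4' ->
    [('3389', '192.168.5.3', '3389'), ('6000-6010', '192.168.5.4', None)].
    The template does `%forwards = split(/,/, ...)`, pairing alternate items
    as key/value; a list is used here so the order is preserved."""
    items = [s for s in spec.split(",") if s]
    if len(items) % 2:
        raise ValueError("forward spec must be port,target pairs: %r" % spec)
    pairs = []
    for port, target in zip(items[::2], items[1::2]):
        ip, _, dport = target.partition(":")
        pairs.append((port, ip, dport or None))
    return pairs


def render_port_forwards(masq, external_ip, internal_ip, fixed=True):
    """Return the shell lines the fragment emits for the masq init script.
    fixed=False installs every accept rule with adjust_tcp_in, reproducing
    the listing in the thread where ForwardedUDP_* holds tcp rules."""
    chain = "PortForwarding_$$"
    out = [
        "# Create a new PortForwarding chain",
        "PFC=$(/sbin/iptables --table nat --numeric --list PortForwarding | sed -n '3s/ .*//p')",
        "/sbin/iptables --table nat --new-chain " + chain,
    ]
    for proto in ("tcp", "udp"):
        uproto = proto.upper()
        for port, ip, dport in parse_forwards(masq.get(uproto + "Forwards", "")):
            port = port.replace("-", ":", 1)          # iptables port-range syntax
            dest = ip + (":" + dport if dport else "")
            out.append("/sbin/iptables --table nat --append %s --protocol %s "
                       "--destination-port %s -j DNAT --to-destination %s"
                       % (chain, proto, port, dest))
            # Accept on the rewritten port when the forward changes it.
            accept_port = dport.replace("-", ":", 1) if dport else port
            if ip in (LOCALHOST, internal_ip):
                raise ValueError("Port-forwarding to localhost or internal interface not permitted.")
            # The helper must follow the lowercase loop variable; comparing the
            # uppercased name against 'tcp' (the first posted fix) never matches.
            helper = "adjust_%s_in" % (proto if fixed else "tcp")
            if ip == external_ip:
                out.append("%s %s ACCEPT Inbound%s_$$" % (helper, accept_port, uproto))
            else:
                out.append("%s %s ACCEPT Forwarded%s_$$ %s/32" % (helper, accept_port, uproto, ip))
    out += [
        "/sbin/iptables --table nat --replace PortForwarding 1 --destination $OUTERNET --jump " + chain,
        "/sbin/iptables --table nat --flush $PFC",
        "/sbin/iptables --table nat --delete-chain $PFC",
    ]
    return out


# Constructed listing modelled on the one in Reply #21 (iptables -L -n style).
SAMPLE_LISTING = """\
Chain ForwardedTCP_24182 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            192.168.5.7          tcp dpt:4890
Chain ForwardedUDP_24182 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            192.168.5.7          udp dpt:6430
ACCEPT     tcp  --  0.0.0.0/0            192.168.5.9          udp dpt:27015
ACCEPT     udp  --  0.0.0.0/0            192.168.5.3          udp dpt:6474
"""


def find_protocol_mismatches(listing):
    """Report rules whose prot column disagrees with the protocol named by
    the Forwarded{TCP,UDP}_* chain that holds them."""
    mismatches, name, expected = [], None, None
    for line in listing.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Chain":
            name = fields[1]
            expected = "udp" if "UDP" in name else "tcp" if "TCP" in name else None
            continue
        if fields[0] == "target" or expected is None or len(fields) < 2:
            continue
        if fields[1] != expected:
            mismatches.append((name, fields[1], line.strip()))
    return mismatches


if __name__ == "__main__":
    cfg = {"TCPForwards": "3389,192.168.5.3:3389", "UDPForwards": "27015,192.168.5.9"}
    for line in render_port_forwards(cfg, "203.0.113.10", "192.168.5.1"):
        print(line)
    for chain, prot, rule in find_protocol_mismatches(SAMPLE_LISTING):
        print("mismatch in %s (prot %s): %s" % (chain, prot, rule))
```

On a live box the audit input is `/sbin/iptables -L -n` (the chain names carry the PID suffix, as in ForwardedUDP_24182 above), and a non-empty result is the quickest confirmation that the installed fragment still has the defect; the generated lines are the ones to compare against /etc/init.d/masq when a forward configured in the server manager does not show up there.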

CharlieBrady
Portforwarding not working after fresh install & updates
« Reply #22 on: May 22, 2006, 12:05:46 AM »
Quote from: "guest22"
Ok, time to get it working first and then find out what's wrong ;-)


Quite the wrong thing to do. Find out what's wrong, then fix it.

Here's the ultimate recipe:

Step 1 - apply all updates
Step 2 - if there's still a malfunction, report via the Bug Tracker